What is IdentityFirst?

IdentityFirst is a shared identity security product family. MRI is the current GA offer: a read-only assessment-led service for identity discovery, risk scoring, and reporting. Core is the next governed release path in the same product family. Enhanced and AISF are beta-only surfaces for approved testers under written beta terms.

Is IdentityFirst read-only?

MRI and assessment-led engagements are read-only. All assessment connectors operate in discovery mode. Higher-tier write-capable workflows exist separately in the broader platform, but they require explicit human approval, separate entitlement, and written scope; nothing writes automatically.

What connectors are available?

The public connector registry currently shows 5 GA connectors (AWS IAM, Entra ID, Google Workspace, Okta, ServiceNow), 9 Beta connectors, and 55 Experimental connectors. The standard public launch promise is narrower than the full registry: default MRI delivery starts with the launch-core sources agreed in writing, and controlled-scope connectors such as ServiceNow are used only where maturity and written scope support them. The registry at /api/connectors/certifications is the authoritative public source if counts change.

How long does deployment take?

Typically 1 to 3 days for an initial launch-core assessment once scope, access, and connector prerequisites are agreed. The standard SaaS assessment path usually avoids infrastructure changes. Connectors use read-only API tokens or approved collection methods and do not require agents installed on your servers for the default MRI path.

What does Beta mean for connectors?

Beta means the connector has meaningful implementation progress but still needs controlled-use validation before it is treated as production-mature. We are transparent about connector maturity. A Beta connector means we will validate it with you in scope before relying on it for production governance or strong commercial promises.

Is IdentityFirst certified?

Yes. IdentityFirst is Cyber Essentials Certified and ICO Registered (reference ZC031428). A SOC 2 Type II audit programme is currently in progress.

Where is data processed?

That depends on the deployment model and contract. UK engagements are usually UK-hosted by default. SaaS deployments run in the contracted region, and customer-hosted or on-premises deployments keep data within customer infrastructure. Regional processing and retention terms are agreed in writing rather than assumed from this page alone.

Do you store our identity data?

There is no persistent raw identity store by default. Retention depends on the engagement, deployment model, and DPA. Customer-hosted deployments can keep data entirely within customer infrastructure, and scoped assessment retention terms are agreed in writing.

Is IdentityFirst GDPR compliant?

Yes. IdentityFirst Ltd is registered with the ICO (reference ZC031428). A Data Processing Agreement is available for all engagements. Regional processing and transfer terms are documented in the DPA rather than implied generically on this page.

How do engagements start?

We start with a scoped commercial discussion. There is no free trial or free Proof of Concept. The exact delivery model, timeline, and commercial terms are agreed in writing before work begins, and we do not promise what we cannot evidence or deliver.

How does pricing work?

MRI is the current GA commercial offer. Core is discussed through scoped rollout conversations while release gaps close. Enhanced and AISF are beta-only and available only to approved testers under written beta terms, not as general public price-list products.

What is included in a scoped engagement?

That depends on the written scope. Engagements are defined case by case around the connectors, delivery boundary, reporting expectations, and operating model that are actually in scope. We keep the public site factual and avoid promising fixed packages that may not fit the real requirement.

FAQ

Frequently asked questions

Everything you need to know about the IdentityFirst platform, connectors, certifications, and how to get started.

Platform & Technical

: IdentityFirst is a shared identity security product family. MRI is the current GA offer: a read-only assessment-led service for identity discovery, risk scoring, and reporting. Core is the next governed release path in the same product family. Enhanced and AISF are beta-only surfaces for approved testers under written beta terms.
: MRI and assessment-led engagements are read-only. All assessment connectors operate in discovery mode. Higher-tier write-capable workflows exist separately in the broader platform, but they require explicit human approval, separate entitlement, and written scope; nothing writes automatically.
: The public connector registry currently shows 5 GA connectors (AWS IAM, Entra ID, Google Workspace, Okta, ServiceNow), 9 Beta connectors, and 55 Experimental connectors. The standard public launch promise is narrower than the full registry: default MRI delivery starts with the launch-core sources agreed in writing, and controlled-scope connectors such as ServiceNow are used only where maturity and written scope support them. The registry at /api/connectors/certifications is the authoritative public source if counts change.
: Typically 1 to 3 days for an initial launch-core assessment once scope, access, and connector prerequisites are agreed. The standard SaaS assessment path usually avoids infrastructure changes. Connectors use read-only API tokens or approved collection methods and do not require agents installed on your servers for the default MRI path.
: Beta means the connector has meaningful implementation progress but still needs controlled-use validation before it is treated as production-mature. We are transparent about connector maturity. A Beta connector means we will validate it with you in scope before relying on it for production governance or strong commercial promises.

Security & Compliance

: Yes. IdentityFirst is Cyber Essentials Certified and ICO Registered (reference ZC031428). A SOC 2 Type II audit programme is currently in progress.
: That depends on the deployment model and contract. UK engagements are usually UK-hosted by default. SaaS deployments run in the contracted region, and customer-hosted or on-premises deployments keep data within customer infrastructure. Regional processing and retention terms are agreed in writing rather than assumed from this page alone.
: There is no persistent raw identity store by default. Retention depends on the engagement, deployment model, and DPA. Customer-hosted deployments can keep data entirely within customer infrastructure, and scoped assessment retention terms are agreed in writing.
: Yes. IdentityFirst Ltd is registered with the ICO (reference ZC031428). A Data Processing Agreement is available for all engagements. Regional processing and transfer terms are documented in the DPA rather than implied generically on this page.

Commercial

: We start with a scoped commercial discussion. There is no free trial or free Proof of Concept. The exact delivery model, timeline, and commercial terms are agreed in writing before work begins, and we do not promise what we cannot evidence or deliver.
: MRI is the current GA commercial offer. Core is discussed through scoped rollout conversations while release gaps close. Enhanced and AISF are beta-only and available only to approved testers under written beta terms, not as general public price-list products.
: That depends on the written scope. Engagements are defined case by case around the connectors, delivery boundary, reporting expectations, and operating model that are actually in scope. We keep the public site factual and avoid promising fixed packages that may not fit the real requirement.

Still have questions?

Get in touch and we will respond within one business day.